Entra / Microsoft 365 · Compliance & audit
Report retention label assignments
Report on retention label assignments in a tenant for the last 30 days.
Connect & set up
Run these once per session. All scopes are read-only unless the script makes changes.
Connect-ExchangeOnline -ShowBanner:$false
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
param([int] $LookbackDays = 30,[string] $StartDate = (Get-Date).AddDays(-$LookbackDays),[string] $EndDate = "Get-Date")[array]$Modules = Get-Module | Select-Object -ExpandProperty NameIf ($Modules -notcontains "ExchangeOnlineManagement") {Connect-ExchangeOnline -ShowBanner:$false}Write-Host "Connecting to the Compliance endpoint to fetch retention policy information..."Connect-IPPSSession -ShowBanner:$false# Get retention policy information[array]$RetentionPolicies = Get-RetentionCompliancePolicy | Sort-Object Name$RetentionPolicyHash = @{}ForEach ($Policy in $RetentionPolicies) {$RetentionPolicyHash.Add([string]$Policy.Guid, $Policy.Name)}# Get retention policy rule information[array]$RetentionPolicyRules = Get-RetentionComplianceRule$RetentionRuleHash = @{}ForEach ($Rule in $RetentionPolicyRules) {$RetentionRuleHash.Add([string]$Rule.Guid, [string]$Rule.Policy)}[array]$SharePointAutoLabelId = 'eba15bfd-c28e-4433-a20e-0278888c5825', 'a405a596-28e7-43c6-8ac7-76e0fc13ee0f'# Search for TagAdded eventsWrite-Output "Searching for TagApplied events..."[array]$Records = Search-UnifiedAuditLog -Operations TagApplied -StartDate $StartDate -EndDate $EndDate -Formatted -SessionCommand ReturnLargeSet -ResultSize 5000If ($Records.Count -eq 0) {Write-Output "No TagApplied events found in the last 30 days"Break} Else {# Get rid of duplicates and make sure that audit records are sorted by date$Records = $Records | Sort-Object Identity -Unique$Records = $Records | Sort-Object {$_.CreationDate -as [datetime]} -DescendingWrite-Output ("Processing {0} retention label assignment events..." -f $Records.Count)}$Report = [System.Collections.Generic.List[Object]]::new()ForEach ($Rec in $Records) {$UserName = $null$AuditData = $Rec.AuditData | ConvertFrom-JsonIf ($AuditData.UserType -eq "CustomPolicy") {$RuleId = $Rec.UserIdsIf ($RuleId -in $SharePointAutoLabelId) {$UserName = "SharePoint Auto Label Process"} Else {$PolicyId = $RetentionRuleHash[$RuleId]If ($null -eq $PolicyId) {$UserName = "Unknown"} Else {$UserName = $RetentionPolicyHash[$PolicyId]}}} Else {$UserName = $Rec.UserIds}$ReportLine = [PSCustomObject][Ordered]@{TimeStamp = Get-Date $Rec.CreationDate -format 'dd-MMM-yyyy HH:mm:ss'User = $UserNameAssignment = $AuditData.UserTypeFile = $AuditData.SourceFileNameLabel = $AuditData.DestinationLabelSiteUrl = $AuditData.SiteUrlFolder = $AuditData.SourceRelativeUrl}$Report.Add($ReportLine)}Write-Host "All done!"$Report | Out-Gridview -Title 'Retention Label Assignment events'
Parameters
ParameterDefaultNotes
-LookbackDays30Number of days back to search the unified audit log.-StartDate(Get-Date).AddDays(-30)Start of the reporting window.-EndDateGet-DateEnd of the reporting window.Attribution
Author
Office365itpros